In today's digital world, password security is more important than ever. While biometrics, one-time passwords (OTP), and other emerging forms of authentication are often touted as replacements for the traditional password, today this concept is more marketing hype than anything else.
But just because passwords aren't going anywhere anytime soon doesn't mean that organizations don't need to modernize their approach to password hygiene right now.
The Compromised Credential Crisis
As Microsoft's security team put it, "All it takes is one compromised credential…to cause a data breach." Coupled with the rampant problem of password reuse, compromised passwords can have a significant and long-lasting impact on enterprise security.
In fact, researchers from Virginia Tech University found that over 70% of users employed a compromised password for other accounts up to a year after it was initially leaked, with 40% reusing passwords that were leaked over three years ago.
While the challenge of compromised credentials isn't exactly new for most IT leaders, they may be surprised to learn that their attempts to address the problem often create more security vulnerabilities.
Following are just a few examples of traditional approaches that can weaken password security:
- Mandated password complexity
- Periodic password resets
- Limitations on password length and character usage
- Special character requirements
A Modern Approach to Password Security
Given the vulnerabilities associated with these legacy approaches, the National Institute of Standards and Technology (NIST) has revised its recommendations to encourage more modern password security best practices. At the root of NIST's most recent recommendations is the recognition that human factors often lead to security vulnerabilities when users are forced to create a password that aligns with specific complexity requirements, or are forced to reset it periodically.
For example, when asked to use special characters and numbers, users might select something basic like "P@ssword1", a credential that is clearly common and easily exploited by hackers. Another legacy approach that can have an adverse effect on security is a policy that prohibits the use of spaces or various special characters in passwords. After all, if you want your users to create a strong, unique password that they can easily remember, why would you impose limitations on what it can be?
In addition, NIST is now recommending against periodic password resets and suggesting that companies only require passwords to be changed if there is evidence of compromise.
The Role of Credential Screening Solutions
So, how can companies monitor for signs of compromise? By adopting another NIST recommendation, namely that organizations screen passwords against blacklists containing commonly used and compromised credentials on an ongoing basis.
This may sound simple enough, but it's important to select the right compromised credential screening solution for today's heightened threat landscape.
No Substitute for Dynamic
There are numerous static blacklists available online and some companies even curate their own. But with multiple data breaches occurring on a real-time basis, newly compromised credentials are continuously posted on the Dark Web and available for hackers to leverage in their ongoing attacks. Existing blacklists or ones that are only updated periodically throughout the year are simply no match for this high-stakes environment.
Enzoic's dynamic solution screens credentials against a proprietary database containing multiple billions of passwords exposed in data breaches and found in cracking dictionaries. Because the database is automatically updated multiple times per day, companies have peace of mind that their password security is evolving to address the latest breach intelligence without necessitating additional work from an IT perspective.
Screening credentials both at their creation and continuously monitoring their integrity thereafter is also an important component of a modern approach to password security. Should a previously safe password become compromised down the road, organizations can automate the appropriate action—for example, forcing a password reset at the next log-in or shutting down access entirely until IT investigates the problem.
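The following is an added example (not Enzoic's code or API) showing the two screening points described above: a check against a compromised-credential list when a password is created, and a re-check at login so that a password which appears in a later breach triggers an automated action. The breach corpus is a constructed handful of passwords standing in for a real multi-billion-entry database; the range-query lookup, in which the client sends only the first five characters of the password's SHA-1 hash and finishes the comparison locally, is the widely used k-anonymity pattern for this kind of service and is assumed here rather than taken from the page. The `Account` class keeps the plaintext purely for illustration; a production system stores a salted, slow password hash and re-screens at login, when the plaintext is briefly available.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample standing in for a breach corpus of compromised passwords.
_SAMPLE_COMPROMISED = ["password", "P@ssword1", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key format used by the range query."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachDatabase:
    """Server side of a k-anonymity range query (assumed design, not a specific vendor's).

    Stores hashes of leaked passwords and answers a 5-character hash prefix with every
    matching suffix, so the client never reveals the full hash, let alone the password.
    """

    def __init__(self, passwords):
        self._hashes = {sha1_hex(p) for p in passwords}

    def ingest(self, passwords):
        # Models the continuous feed of newly exposed credentials.
        self._hashes.update(sha1_hex(p) for p in passwords)

    def range_query(self, prefix: str):
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        return {h[5:] for h in self._hashes if h.startswith(prefix)}


def is_compromised(password: str, db: BreachDatabase) -> bool:
    """Client side: send the prefix, compare the remaining suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in db.range_query(digest[:5])


def policy_verdict(password: str, db: BreachDatabase) -> str:
    """NIST-style acceptance check: a length floor, a generous ceiling, spaces and any
    characters allowed, no composition rules, and a screen against known-compromised values."""
    if len(password) < 8:
        return "too_short"
    if len(password) > 64:
        return "too_long"
    if is_compromised(password, db):
        return "compromised"
    return "ok"


@dataclass
class Account:
    username: str
    password: str  # constructed; a real system stores a salted slow hash, never plaintext
    force_reset: bool = False


def login(account: Account, supplied: str, db: BreachDatabase) -> str:
    """Authenticate, then re-screen against the latest corpus while the plaintext is in hand.
    A hit flags the account so the user must change the password at this sign-in."""
    if supplied != account.password:
        return "denied"
    if is_compromised(supplied, db):
        account.force_reset = True
        return "force_reset"
    return "allowed"


def demo():
    db = BreachDatabase(_SAMPLE_COMPROMISED)
    verdicts = {
        "P@ssword1": policy_verdict("P@ssword1", db),                 # compromised
        "abc": policy_verdict("abc", db),                              # too_short
        "moss covered lighthouse 1974": policy_verdict("moss covered lighthouse 1974", db),  # ok
    }
    acct = Account("alice", "moss covered lighthouse 1974")
    first = login(acct, acct.password, db)            # allowed: not yet in any breach
    db.ingest(["moss covered lighthouse 1974"])       # constructed: the passphrase later leaks
    second = login(acct, acct.password, db)           # force_reset: screening caught it
    return verdicts, first, second, acct.force_reset


if __name__ == "__main__":
    print(demo())
```

The design point is that the creation-time check alone is not enough: `first` passes because the passphrase was clean when chosen, and only the login-time re-screen against the updated corpus turns it into a `force_reset`. Locking the account instead of forcing a reset is the same branch with a different action.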
The Path Forward
While NIST guidelines often inform best practice recommendations across the security industry, it's ultimately up to security leaders to determine what works best for their unique needs and tailor their strategies accordingly.
Depending upon your industry, company size, and other factors, perhaps some of the recommendations aren't appropriate for your business.
But with the daily barrage of cyberattacks showing no sign of abating and frequently being linked back to password vulnerabilities, it isn't easy to imagine an organization that wouldn't benefit from the additional security layer afforded by credential screening.
Find out more about Enzoic's dynamic password threat intelligence and how it can help reboot your approach to password hygiene here.